Crucial Information for FortiGate Admins: Transition to FortiOS 7.4.4 and the Discontinuation of Proxy-Based Features on Devices with 2GB of RAM or less

With FortiOS 7.4.4, Fortinet introduces a change that affects a number of smaller FortiGate models: proxy-based features are no longer supported on appliances with 2GB of RAM or less. Anyone planning to upgrade such a device needs to know what is dropped before starting, because the affected configuration does not survive the upgrade.


What Changes with FortiOS 7.4.4?

FortiOS 7.4.4 marks the end of support for all proxy-based functionality on devices with 2GB of RAM or less. If you currently use these features on such a device, be aware that any configuration related to proxy-based services is not retained after the upgrade.

Firewall Policies

When configuring firewall rules on an affected device running FortiOS 7.4.4, you may notice an inconsistency in how rules are processed. The GUI still lets you set a rule to proxy-based inspection (provided `set gui-proxy-inspection enable` is configured under `config system settings`), but the setting has no effect in practice: rules intended to be proxy-based are processed flow-based. This mismatch between what the GUI offers and what the firewall does strongly suggests a bug in the GUI.

Security Profiles

Proxy-based security profiles can still be created and configured on FortiOS 7.4.4, but the proxy-based functions configured in them are ignored during processing.

What exactly happens if you upgrade from a previous version to FortiOS 7.4.4 is documented in Fortinet's article linked below under Additional Information.

Explicit Proxy

In addition, the explicit proxy option is now completely greyed out under ‘Feature Visibility’ and cannot be activated. If this feature was enabled prior to the FortiOS 7.4.4 update, all associated rules will be deleted and cannot be recreated. This change significantly limits the configuration options for network administrators who rely on explicit proxy settings.


How to Check Your Device’s RAM?

Before deciding to upgrade, verify the amount of RAM in your FortiGate device. In the Command Line Interface (CLI), run:

get system performance status | grep Memory

The output lists the memory known to the operating system. The total is slightly below the nominal amount, because the kernel reports what is left after its own reservations, so a 2GB model shows a little less than 2097152k. The same figure in MB is shown by `diag hardware sysinfo conserve`. The device below reports about 3.7GB, i.e. it is a 4GB model and not affected:

fgt01 # get system performance status | grep Memory
Memory: 3806668k total, 1596088k used (41.9%), 1932164k free (50.8%), 278416k freeable (7.3%)

fgt01 # diag hardware sysinfo conserve | grep "total RAM:"
total RAM: 3717 MB

Affected Devices

The discontinuation of proxy-based features affects entry-level FortiGate models with 2GB of RAM or less. The affected devices are:

  • FortiGate Rugged-35D
  • FortiGate/FortiWiFi 40F
  • FortiGate/FortiWiFi 40F-3G4G
  • FortiGate/FortiWiFi 50G
  • FortiGate/FortiWiFi 60/61F
  • FortiGate Rugged-60F/-3G4G
  • FortiGate Rugged-60F/-3G4G Gen2
  • FortiGate Rugged-60F/-3G4G Gen3
  • FortiGate Rugged-60F/-3G4G Gen4

Not affected are FortiGate Rugged-60F/-3G4G Gen5 and newer, and FortiGate 70/71F and higher models.

Affected Firewall Features

After the upgrade to FortiOS 7.4.4 or later, the following features are no longer supported on the affected devices, since they depend on proxy-based inspection:

  • Zero Trust Network Access (ZTNA)
  • UTM profile with proxy-based inspection mode
  • Firewall policy with proxy-based inspection mode
  • Explicit and transparent proxies
  • Virtual server load balance
  • Proxy-only UTM profiles:
    • Video Filter
    • Inline CASB
    • ICAP
    • Web application firewall (WAF)
    • SSH Filter
  • WAN optimization
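Putting the RAM check and the feature list above into a script lets you audit a whole fleet from CLI output and configuration backups you already collect, before touching any device. The Python below is an added example, not code from Fortinet or from this article. It assumes you have copied the output of `get system performance status` and a single-VDOM `show full-configuration` backup off each unit; the FortiOS config keywords it matches (`set inspection-mode proxy`, `set feature-set proxy`, `config firewall access-proxy`, `config firewall proxy-policy`, `config web-proxy explicit`, `set type server-load-balance`, `config wanopt profile`, `set wanopt enable`) are standard 7.x syntax, while the 2097152k threshold and the sample inputs are assumptions constructed for the example.

```python
"""Pre-upgrade audit for the FortiOS 7.4.4 2GB-RAM restriction.

Added example, not Fortinet's or the article's code. It parses text copied
off the device: `get system performance status` output and a single-VDOM
`show full-configuration` backup (strip any `config vdom`/`edit <name>` wrapper
first). Reading "2GB or less" as a reported total of at most 2097152k is this
example's interpretation, not Fortinet's."""
import re

TWO_GB_KB = 2 * 1024 * 1024   # nominal 2GB; the kernel reports a bit less
MEMORY_RE = re.compile(r"^Memory:\s+(\d+)k total", re.M)
# Proxy-only profile tables from the article (a full dump also lists default
# entries for some of them, so review the hits before acting on them).
PROXY_ONLY_TABLES = {"videofilter profile", "casb profile", "icap profile",
                     "waf profile", "ssh-filter profile"}

def total_ram_kb(perf_output):
    """Total memory in kB from `get system performance status`."""
    m = MEMORY_RE.search(perf_output)
    if m is None:
        raise ValueError("no 'Memory: <n>k total' line in the output")
    return int(m.group(1))

def is_two_gb_model(total_kb):
    """True when the reported total puts the device in the 2GB-or-less class."""
    return total_kb <= TWO_GB_KB

def parse_config(text):
    """Flatten a FortiOS config dump into {(table, entry): {key: value}}."""
    objects, tables, entries = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            tables.append(line[7:])
        elif line.startswith("edit "):
            entries.append(line[5:].strip('"'))
            objects.setdefault((tables[0], entries[0]), {})
        elif line == "next":
            entries.pop()
        elif line == "end":
            tables.pop()
        elif line.startswith("set ") and tables:
            key, _, value = line[4:].partition(" ")
            # nested blocks map to the top-level entry; no-edit tables get None
            owner = (tables[0], entries[0] if entries else None)
            objects.setdefault(owner, {})[key] = value.strip('"')
    return objects

def find_proxy_dependents(objects):
    """Proxy-dependent features from the article -> config objects using them."""
    hits = {}
    for (table, entry), s in objects.items():
        name = table if entry is None else f"{table} {entry}"
        policy = table == "firewall policy"
        rules = (
            ("Firewall policy with proxy-based inspection mode",
             policy and s.get("inspection-mode") == "proxy"),
            ("UTM profile with proxy-based inspection mode",
             table.endswith(" profile") and s.get("feature-set") == "proxy"),
            ("Zero Trust Network Access (ZTNA)",
             table in ("firewall access-proxy", "firewall access-proxy6")),
            ("Explicit and transparent proxies", table == "firewall proxy-policy"
             or (table == "web-proxy explicit" and s.get("status") == "enable")),
            ("Virtual server load balance",
             table == "firewall vip" and s.get("type") == "server-load-balance"),
            ("Proxy-only UTM profiles", table in PROXY_ONLY_TABLES),
            ("WAN optimization",
             table == "wanopt profile" or (policy and s.get("wanopt") == "enable")),
        )
        for feature, matched in rules:
            if matched:
                hits.setdefault(feature, []).append(name)
    return hits

# Constructed samples: PERF_4GB is the article's own output line; PERF_2GB
# and SAMPLE_CONFIG are made up to exercise the checks.
PERF_4GB = ("Memory: 3806668k total, 1596088k used (41.9%), "
            "1932164k free (50.8%), 278416k freeable (7.3%)\n")
PERF_2GB = "Memory: 1960112k total, 1400000k used (71.4%), 400112k free (20.4%)\n"
SAMPLE_CONFIG = """\
config webfilter profile
    edit "wf-proxy"
        set feature-set proxy
    next
end
config firewall vip
    edit "web-lb"
        set type server-load-balance
    next
end
config firewall access-proxy
    edit "ztna-portal"
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
    next
end
"""
```

Run `find_proxy_dependents(parse_config(backup))` per device together with `is_two_gb_model(total_ram_kb(perf))`: only devices where the second is true will lose the objects the first reports. The parser attributes settings in nested blocks to the enclosing top-level entry, which is enough here but not a general FortiOS config parser.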

Exceptions to the Rule

Virtual Machines

FortiGate Virtual Machines (VMs) with 2GB of RAM or less are not subject to this change; they continue to support proxy-related features after the upgrade to FortiOS 7.4.4.

FortiOS 7.2 or 7.0 appliances

As of now, FortiGate appliances running FortiOS 7.0.x, 7.2.x or earlier are not limited by this restriction; only FortiOS 7.4.4 and higher are affected.

If you want to verify that proxy-based inspection is still working, the following CLI command lists all sessions that have been handed to the proxy (they carry the `redir` state flag). Open a session that matches a proxy-inspected policy through the FortiGate before running the command, otherwise the list is empty:

diag sys session list | grep state=redir

To show more context for each of these sessions, run:

diag sys session list | grep state=redir -A15  -B5
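The same check can be scripted against a saved copy of the session list, which is handier than reading `-A15 -B5` output by eye when you want a before/after count around the upgrade. The Python below is an added example, not Fortinet's code or this article's. The session dump it parses is constructed to mirror the layout of `diag sys session list` output and is not a real capture; the parser only relies on the `session info: proto=`, `state=`, `hook=... dir=org ... act=` and `policy_id=` fields, so additional lines in real output do not matter.

```python
"""List the sessions a FortiGate has redirected to its proxy (state=redir).

Added example, not Fortinet's code. It parses plain-text output of
`diag sys session list` copied from the CLI. SAMPLE_DUMP is constructed in the
layout of that output; only the fields named in the regexes are relied on."""
import re

PROTO_RE = re.compile(r"proto=(\d+)")
STATE_RE = re.compile(r"^state=(.*)$")
FLOW_RE = re.compile(r"^hook=\S+ dir=org act=(\S+) (\S+?)->([^\s(]+)")
POLICY_RE = re.compile(r"policy_id=(\d+)")

def split_sessions(dump):
    """Yield each session as a list of stripped lines; every `session info:`
    line starts a new session."""
    block = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("session info:") and block:
            yield block
            block = []
        if line:
            block.append(line)
    if block:
        yield block

def parse_session(lines):
    """Reduce one session block to the fields needed to judge proxy handling."""
    s = {"proto": None, "state": [], "act": None, "src": None, "dst": None,
         "policy_id": None}
    for line in lines:
        if line.startswith("session info:"):
            m = PROTO_RE.search(line)
            s["proto"] = int(m.group(1)) if m else None
        elif (m := STATE_RE.match(line)):
            s["state"] = m.group(1).split()
        elif (m := FLOW_RE.match(line)):
            # originating direction only; the dst keeps the pre-NAT address
            s["act"], s["src"], s["dst"] = m.group(1), m.group(2), m.group(3)
        elif (m := POLICY_RE.search(line)):
            s["policy_id"] = int(m.group(1))
    s["redir"] = "redir" in s["state"]   # what `grep state=redir` matches on
    return s

def redir_sessions(dump):
    """Sessions handed to the proxy: the ones the article's grep would show."""
    return [s for s in map(parse_session, split_sessions(dump)) if s["redir"]]

def summary(dump):
    """(total sessions, proxied sessions) for a quick before/after comparison."""
    sessions = list(map(parse_session, split_sessions(dump)))
    return len(sessions), sum(s["redir"] for s in sessions)

# Constructed sample dump: one HTTPS session proxied by policy 3 and one DNS
# session handled flow-based by policy 2. Addresses are documentation ranges.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir local may_dirty npd
statistic(bytes/packets/allow_err): org=517/6/1 reply=3391/6/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:51234->198.51.100.20:443(203.0.113.5:51234)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.5:51234(192.168.1.10:51234)
misc=0 policy_id=3 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=2 expire=178 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
statistic(bytes/packets/allow_err): org=64/1/1 reply=120/1/1 tuples=2
hook=post dir=org act=snat 192.168.1.11:50000->198.51.100.53:53(203.0.113.5:50000)
hook=pre dir=reply act=dnat 198.51.100.53:53->203.0.113.5:50000(192.168.1.11:50000)
misc=0 policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
"""

if __name__ == "__main__":
    for s in redir_sessions(SAMPLE_DUMP):
        print(f"proto={s['proto']} {s['src']} -> {s['dst']} policy={s['policy_id']}")
    print("total/proxied:", summary(SAMPLE_DUMP))
```

Capture the session list once before the upgrade and once after, with the same test traffic running, and compare `summary()` of both: on an affected device the proxied count drops to zero even though the policies still show proxy-based inspection in the GUI.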

Additional Information

Release Notes: https://docs.fortinet.com/document/fortigate/7.4.4/fortios-release-notes/768039/2-gb-ram-fortigate-models-no-longer-support-fortios-proxy-related-features

Administration Guide: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/519079/proxy-related-features-not-supported-on-fortigate-2-gb-ram-models-new

New features guide: https://docs.fortinet.com/document/fortigate/7.4.0/new-features/519079/proxy-related-features-no-longer-supported-on-fortigate-2gb-ram-models-7-4-4

Admin Guide: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/519079


2 thoughts on “Crucial Information for FortiGate Admins: Transition to FortiOS 7.4.4 and the Discontinuation of Proxy-Based Features on Devices with 2GB of RAM or less”

  1. Daniel Bosshard

    I have a similar issue on a 61E. After the upgrade to the 7.2.8 firmware, ZTNA and other proxy features were not visible in the GUI anymore. After activating the feature again, which was greyed out until enabling set gui-proxy-inspection, I did see the policies again in the GUI. But are they really taken into account when processing?

    • vla

      Dear Daniel
      Thank you for your comment.
      We do not provide support on our blog. Please open a support ticket in our partner area, we are happy to help you with your question.
      Have a nice day.
      Kind regards from the
      Boll Tech Team
